--- /dev/null
+From 00abf69dd24f4444d185982379c5cc3bb7b6d1fc Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 7 May 2019 09:20:54 -0400
+Subject: ceph: flush dirty inodes before proceeding with remount
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 00abf69dd24f4444d185982379c5cc3bb7b6d1fc upstream.
+
+xfstest generic/452 was triggering a "Busy inodes after umount" warning.
+ceph was allowing the mount to go read-only without first flushing out
+dirty inodes in the cache. Ensure we sync out the filesystem before
+allowing a remount to proceed.
+
+Cc: stable@vger.kernel.org
+Link: http://tracker.ceph.com/issues/39571
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/super.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -768,6 +768,12 @@ static void ceph_umount_begin(struct sup
+ return;
+ }
+
++static int ceph_remount(struct super_block *sb, int *flags, char *data)
++{
++ sync_filesystem(sb);
++ return 0;
++}
++
+ static const struct super_operations ceph_super_ops = {
+ .alloc_inode = ceph_alloc_inode,
+ .destroy_inode = ceph_destroy_inode,
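Review bot: ceph_remount discards the return value of `sync_filesystem(sb)` and always returns 0, so a failed flush still lets the remount proceed and the error is never reported to the caller. If a writeback failure should stop the filesystem from going read-only, propagate it with `return sync_filesystem(sb);`; if ignoring it is deliberate, say so in a comment above the call. The `flags` and `data` arguments are unused, which deserves a one-line comment such as `/* no remount options are parsed here; only flush dirty state */`.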
+@@ -775,6 +781,7 @@ static const struct super_operations cep
+ .drop_inode = ceph_drop_inode,
+ .sync_fs = ceph_sync_fs,
+ .put_super = ceph_put_super,
++ .remount_fs = ceph_remount,
+ .show_options = ceph_show_options,
+ .statfs = ceph_statfs,
+ .umount_begin = ceph_umount_begin,
--- /dev/null
+From 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb Mon Sep 17 00:00:00 2001
+From: Christoph Probst <kernel@probst.it>
+Date: Tue, 7 May 2019 17:16:40 +0200
+Subject: cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
+
+From: Christoph Probst <kernel@probst.it>
+
+commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream.
+
+Change strcat to strncpy in the "None" case to fix a buffer overflow
+when cinode->oplock is reset to 0 by another thread accessing the same
+cinode. It is never valid to append "None" to any other message.
+
+Consolidate multiple writes to cinode->oplock to reduce raciness.
+
+Signed-off-by: Christoph Probst <kernel@probst.it>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1969,26 +1969,28 @@ smb21_set_oplock_level(struct cifsInodeI
+ unsigned int epoch, bool *purge_cache)
+ {
+ char message[5] = {0};
++ unsigned int new_oplock = 0;
+
+ oplock &= 0xFF;
+ if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE)
+ return;
+
+- cinode->oplock = 0;
+ if (oplock & SMB2_LEASE_READ_CACHING_HE) {
+- cinode->oplock |= CIFS_CACHE_READ_FLG;
++ new_oplock |= CIFS_CACHE_READ_FLG;
+ strcat(message, "R");
+ }
+ if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) {
+- cinode->oplock |= CIFS_CACHE_HANDLE_FLG;
++ new_oplock |= CIFS_CACHE_HANDLE_FLG;
+ strcat(message, "H");
+ }
+ if (oplock & SMB2_LEASE_WRITE_CACHING_HE) {
+- cinode->oplock |= CIFS_CACHE_WRITE_FLG;
++ new_oplock |= CIFS_CACHE_WRITE_FLG;
+ strcat(message, "W");
+ }
+- if (!cinode->oplock)
+- strcat(message, "None");
++ if (!new_oplock)
++ strncpy(message, "None", sizeof(message));
++
++ cinode->oplock = new_oplock;
+ cifs_dbg(FYI, "%s Lease granted on inode %p\n", message,
+ &cinode->vfs_inode);
+ }
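Review bot: The `strncpy(message, "None", sizeof(message))` call ends up NUL-terminated only because "None" is exactly `sizeof(message) - 1` characters long. strncpy does not terminate the destination when the source fills it, so a longer label or a smaller buffer would hand an unterminated string to the `%s` in cifs_dbg. Where the tree provides it, `strscpy(message, "None", sizeof(message));` always terminates and reports truncation. The final `cinode->oplock = new_oplock;` is still a plain store with no lock visible in the hunk, so the race is narrowed to one write rather than removed; a comment naming the lock callers are expected to hold, if any, would help. The function signature starts above the hunk.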
--- /dev/null
+From 9f77a60669d13ed4ddfa6cd7374c9d88da378ffa Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Wed, 20 Mar 2019 18:05:08 +0800
+Subject: clk: hi3660: Mark clk_gate_ufs_subsys as critical
+
+From: Leo Yan <leo.yan@linaro.org>
+
+commit 9f77a60669d13ed4ddfa6cd7374c9d88da378ffa upstream.
+
+clk_gate_ufs_subsys is a system bus clock, turning off it will
+introduce lockup issue during system suspend flow. Let's mark
+clk_gate_ufs_subsys as critical clock, thus keeps it on during
+system suspend and resume.
+
+Fixes: d374e6fd5088 ("clk: hisilicon: Add clock driver for hi3660 SoC")
+Cc: stable@vger.kernel.org
+Cc: Zhong Kaihua <zhongkaihua@huawei.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Zhangfei Gao <zhangfei.gao@linaro.org>
+Suggested-by: Dong Zhang <zhangdong46@hisilicon.com>
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/hisilicon/clk-hi3660.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/hisilicon/clk-hi3660.c
++++ b/drivers/clk/hisilicon/clk-hi3660.c
+@@ -163,8 +163,12 @@ static const struct hisi_gate_clock hi36
+ "clk_isp_snclk_mux", CLK_SET_RATE_PARENT, 0x50, 17, 0, },
+ { HI3660_CLK_GATE_ISP_SNCLK2, "clk_gate_isp_snclk2",
+ "clk_isp_snclk_mux", CLK_SET_RATE_PARENT, 0x50, 18, 0, },
++ /*
++ * clk_gate_ufs_subsys is a system bus clock, mark it as critical
++ * clock and keep it on for system suspend and resume.
++ */
+ { HI3660_CLK_GATE_UFS_SUBSYS, "clk_gate_ufs_subsys", "clk_div_sysbus",
+- CLK_SET_RATE_PARENT, 0x50, 21, 0, },
++ CLK_SET_RATE_PARENT | CLK_IS_CRITICAL, 0x50, 21, 0, },
+ { HI3660_PCLK_GATE_DSI0, "pclk_gate_dsi0", "clk_div_cfgbus",
+ CLK_SET_RATE_PARENT, 0x50, 28, 0, },
+ { HI3660_PCLK_GATE_DSI1, "pclk_gate_dsi1", "clk_div_cfgbus",
--- /dev/null
+From fb903392131a324a243c7731389277db1cd9f8df Mon Sep 17 00:00:00 2001
+From: Jonas Karlman <jonas@kwiboo.se>
+Date: Sun, 10 Mar 2019 12:00:45 +0000
+Subject: clk: rockchip: fix wrong clock definitions for rk3328
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+commit fb903392131a324a243c7731389277db1cd9f8df upstream.
+
+This patch fixes definition of several clock gate and select register
+that is wrong for rk3328 referring to the TRM and vendor kernel.
+Also use correct number of softrst registers.
+
+Fix clock definition for:
+- clk_crypto
+- aclk_h265
+- pclk_h265
+- aclk_h264
+- hclk_h264
+- aclk_axisram
+- aclk_gmac
+- aclk_usb3otg
+
+Fixes: fe3511ad8a1c ("clk: rockchip: add clock controller for rk3328")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Tested-by: Peter Geis <pgwipeout@gmail.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/rockchip/clk-rk3328.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/clk/rockchip/clk-rk3328.c
++++ b/drivers/clk/rockchip/clk-rk3328.c
+@@ -458,7 +458,7 @@ static struct rockchip_clk_branch rk3328
+ RK3328_CLKSEL_CON(35), 15, 1, MFLAGS, 8, 7, DFLAGS,
+ RK3328_CLKGATE_CON(2), 12, GFLAGS),
+ COMPOSITE(SCLK_CRYPTO, "clk_crypto", mux_2plls_p, 0,
+- RK3328_CLKSEL_CON(20), 7, 1, MFLAGS, 0, 7, DFLAGS,
++ RK3328_CLKSEL_CON(20), 7, 1, MFLAGS, 0, 5, DFLAGS,
+ RK3328_CLKGATE_CON(2), 4, GFLAGS),
+ COMPOSITE_NOMUX(SCLK_TSADC, "clk_tsadc", "clk_24m", 0,
+ RK3328_CLKSEL_CON(22), 0, 10, DFLAGS,
+@@ -550,15 +550,15 @@ static struct rockchip_clk_branch rk3328
+ GATE(0, "hclk_rkvenc_niu", "hclk_rkvenc", CLK_IGNORE_UNUSED,
+ RK3328_CLKGATE_CON(25), 1, GFLAGS),
+ GATE(ACLK_H265, "aclk_h265", "aclk_rkvenc", 0,
+- RK3328_CLKGATE_CON(25), 0, GFLAGS),
++ RK3328_CLKGATE_CON(25), 2, GFLAGS),
+ GATE(PCLK_H265, "pclk_h265", "hclk_rkvenc", 0,
+- RK3328_CLKGATE_CON(25), 1, GFLAGS),
++ RK3328_CLKGATE_CON(25), 3, GFLAGS),
+ GATE(ACLK_H264, "aclk_h264", "aclk_rkvenc", 0,
+- RK3328_CLKGATE_CON(25), 0, GFLAGS),
++ RK3328_CLKGATE_CON(25), 4, GFLAGS),
+ GATE(HCLK_H264, "hclk_h264", "hclk_rkvenc", 0,
+- RK3328_CLKGATE_CON(25), 1, GFLAGS),
++ RK3328_CLKGATE_CON(25), 5, GFLAGS),
+ GATE(ACLK_AXISRAM, "aclk_axisram", "aclk_rkvenc", CLK_IGNORE_UNUSED,
+- RK3328_CLKGATE_CON(25), 0, GFLAGS),
++ RK3328_CLKGATE_CON(25), 6, GFLAGS),
+
+ COMPOSITE(SCLK_VENC_CORE, "sclk_venc_core", mux_4plls_p, 0,
+ RK3328_CLKSEL_CON(51), 14, 2, MFLAGS, 8, 5, DFLAGS,
+@@ -663,7 +663,7 @@ static struct rockchip_clk_branch rk3328
+
+ /* PD_GMAC */
+ COMPOSITE(ACLK_GMAC, "aclk_gmac", mux_2plls_hdmiphy_p, 0,
+- RK3328_CLKSEL_CON(35), 6, 2, MFLAGS, 0, 5, DFLAGS,
++ RK3328_CLKSEL_CON(25), 6, 2, MFLAGS, 0, 5, DFLAGS,
+ RK3328_CLKGATE_CON(3), 2, GFLAGS),
+ COMPOSITE_NOMUX(PCLK_GMAC, "pclk_gmac", "aclk_gmac", 0,
+ RK3328_CLKSEL_CON(25), 8, 3, DFLAGS,
+@@ -733,7 +733,7 @@ static struct rockchip_clk_branch rk3328
+
+ /* PD_PERI */
+ GATE(0, "aclk_peri_noc", "aclk_peri", CLK_IGNORE_UNUSED, RK3328_CLKGATE_CON(19), 11, GFLAGS),
+- GATE(ACLK_USB3OTG, "aclk_usb3otg", "aclk_peri", 0, RK3328_CLKGATE_CON(19), 4, GFLAGS),
++ GATE(ACLK_USB3OTG, "aclk_usb3otg", "aclk_peri", 0, RK3328_CLKGATE_CON(19), 14, GFLAGS),
+
+ GATE(HCLK_SDMMC, "hclk_sdmmc", "hclk_peri", 0, RK3328_CLKGATE_CON(19), 0, GFLAGS),
+ GATE(HCLK_SDIO, "hclk_sdio", "hclk_peri", 0, RK3328_CLKGATE_CON(19), 1, GFLAGS),
+@@ -894,7 +894,7 @@ static void __init rk3328_clk_init(struc
+ &rk3328_cpuclk_data, rk3328_cpuclk_rates,
+ ARRAY_SIZE(rk3328_cpuclk_rates));
+
+- rockchip_register_softrst(np, 11, reg_base + RK3328_SOFTRST_CON(0),
++ rockchip_register_softrst(np, 12, reg_base + RK3328_SOFTRST_CON(0),
+ ROCKCHIP_SOFTRST_HIWORD_MASK);
+
+ rockchip_register_restart_notifier(ctx, RK3328_GLB_SRST_FST, NULL);
--- /dev/null
+From 40db569d6769ffa3864fd1b89616b1a7323568a8 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 12 Apr 2019 00:48:34 +0300
+Subject: clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 40db569d6769ffa3864fd1b89616b1a7323568a8 upstream.
+
+There are wrongly set parenthesis in the code that are resulting in a
+wrong configuration being programmed for PLLM. The original fix was made
+by Danny Huang in the downstream kernel. The patch was tested on Nyan Big
+Tegra124 chromebook, PLLM rate changing works correctly now and system
+doesn't lock up after changing the PLLM rate due to EMC scaling.
+
+Cc: <stable@vger.kernel.org>
+Tested-by: Steev Klimaszewski <steev@kali.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/tegra/clk-pll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -662,8 +662,8 @@ static void _update_pll_mnp(struct tegra
+ pll_override_writel(val, params->pmc_divp_reg, pll);
+
+ val = pll_override_readl(params->pmc_divnm_reg, pll);
+- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) |
+- ~(divn_mask(pll) << div_nmp->override_divn_shift);
++ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) |
++ (divn_mask(pll) << div_nmp->override_divn_shift));
+ val |= (cfg->m << div_nmp->override_divm_shift) |
+ (cfg->n << div_nmp->override_divn_shift);
+ pll_override_writel(val, params->pmc_divnm_reg, pll);
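Review bot: With the clear mask now correct, the following `val |= (cfg->m << ...) | (cfg->n << ...)` still ORs the new dividers in unmasked, so a value wider than its field would spill into neighbouring bits of the PMC override register. The values are presumably range-checked where the configuration is calculated (not visible here), but masking at the write keeps the guarantee local: `val |= ((cfg->m & divm_mask(pll)) << div_nmp->override_divm_shift) | ((cfg->n & divn_mask(pll)) << div_nmp->override_divn_shift);`. _update_pll_mnp starts and ends outside the hunk.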
--- /dev/null
+From 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 24 Apr 2019 17:05:06 +0200
+Subject: fuse: fix writepages on 32bit
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 upstream.
+
+Writepage requests were cropped to i_size & 0xffffffff, which meant that
+mmaped writes to any file larger than 4G might be silently discarded.
+
+Fix by storing the file size in a properly sized variable (loff_t instead
+of size_t).
+
+Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
+Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests")
+Cc: <stable@vger.kernel.org> # v3.13
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1525,7 +1525,7 @@ __acquires(fc->lock)
+ {
+ struct fuse_conn *fc = get_fuse_conn(inode);
+ struct fuse_inode *fi = get_fuse_inode(inode);
+- size_t crop = i_size_read(inode);
++ loff_t crop = i_size_read(inode);
+ struct fuse_req *req;
+
+ while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) {
--- /dev/null
+From 0cbade024ba501313da3b7e5dd2a188a6bc491b5 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Thu, 18 Apr 2019 04:04:41 +0800
+Subject: fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
+
+From: Liu Bo <bo.liu@linux.alibaba.com>
+
+commit 0cbade024ba501313da3b7e5dd2a188a6bc491b5 upstream.
+
+fstests generic/228 reported this failure that fuse fallocate does not
+honor what 'ulimit -f' has set.
+
+This adds the necessary inode_newsize_ok() check.
+
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation")
+Cc: <stable@vger.kernel.org> # v3.5
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -2974,6 +2974,13 @@ static long fuse_file_fallocate(struct f
+ }
+ }
+
++ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
++ offset + length > i_size_read(inode)) {
++ err = inode_newsize_ok(inode, offset + length);
++ if (err)
++ return err;
++ }
++
+ if (!(mode & FALLOC_FL_KEEP_SIZE))
+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+
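Review bot: The added `return err;` leaves fuse_file_fallocate directly, while the two closing braces just above the new block end a conditional section whose start is outside the hunk. If that section takes the inode lock, or any other state the function releases on its normal exit path, this early return skips the release and a task that hits RLIMIT_FSIZE would leave the inode locked. Route the failure through the function's existing cleanup path instead, for example `goto <cleanup-label>;` with whatever label the function already uses, or move the check ahead of any locking. `offset + length` is also a signed sum computed twice; presumably the VFS caller has already rejected overflowing ranges, but that should be confirmed.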
--- /dev/null
+From 4e0eaf239fb33ebc671303e2b736fa043462e2f4 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 3 May 2019 11:44:34 +0300
+Subject: intel_th: msu: Fix single mode with IOMMU
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 4e0eaf239fb33ebc671303e2b736fa043462e2f4 upstream.
+
+Currently, the pages that are allocated for the single mode of MSC are not
+mapped into the device's dma space and the code is incorrectly using
+*_to_phys() in place of a dma address. This fails with IOMMU enabled and
+is otherwise bad practice.
+
+Fix the single mode buffer allocation to map the pages into the device's
+DMA space.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: ba82664c134e ("intel_th: Add Memory Storage Unit driver")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/msu.c | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/msu.c
++++ b/drivers/hwtracing/intel_th/msu.c
+@@ -92,6 +92,7 @@ struct msc_iter {
+ * @reg_base: register window base address
+ * @thdev: intel_th_device pointer
+ * @win_list: list of windows in multiblock mode
++ * @single_sgt: single mode buffer
+ * @nr_pages: total number of pages allocated for this buffer
+ * @single_sz: amount of data in single mode
+ * @single_wrap: single mode wrap occurred
+@@ -112,6 +113,7 @@ struct msc {
+ struct intel_th_device *thdev;
+
+ struct list_head win_list;
++ struct sg_table single_sgt;
+ unsigned long nr_pages;
+ unsigned long single_sz;
+ unsigned int single_wrap : 1;
+@@ -625,22 +627,45 @@ static void intel_th_msc_deactivate(stru
+ */
+ static int msc_buffer_contig_alloc(struct msc *msc, unsigned long size)
+ {
++ unsigned long nr_pages = size >> PAGE_SHIFT;
+ unsigned int order = get_order(size);
+ struct page *page;
++ int ret;
+
+ if (!size)
+ return 0;
+
++ ret = sg_alloc_table(&msc->single_sgt, 1, GFP_KERNEL);
++ if (ret)
++ goto err_out;
++
++ ret = -ENOMEM;
+ page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
+ if (!page)
+- return -ENOMEM;
++ goto err_free_sgt;
+
+ split_page(page, order);
+- msc->nr_pages = size >> PAGE_SHIFT;
++ sg_set_buf(msc->single_sgt.sgl, page_address(page), size);
++
++ ret = dma_map_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl, 1,
++ DMA_FROM_DEVICE);
++ if (ret < 0)
++ goto err_free_pages;
++
++ msc->nr_pages = nr_pages;
+ msc->base = page_address(page);
+- msc->base_addr = page_to_phys(page);
++ msc->base_addr = sg_dma_address(msc->single_sgt.sgl);
+
+ return 0;
++
++err_free_pages:
++ __free_pages(page, order);
++
++err_free_sgt:
++ sg_free_table(&msc->single_sgt);
++
++err_out:
++ return ret;
+ }
+
+ /**
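Review bot: `dma_map_sg()` reports failure by returning 0 (it returns the number of mapped entries), so the `if (ret < 0)` check after it does not catch a failed mapping. The code then stores `sg_dma_address(msc->single_sgt.sgl)` in `msc->base_addr` for a buffer the device cannot reach. Test for zero and set an error code, e.g. `if (!ret) { ret = -ENOMEM; goto err_free_pages; }`. Separately, `err_free_pages` calls `__free_pages(page, order)` after `split_page(page, order)` has turned the allocation into individual pages, whereas msc_buffer_contig_free in the next hunk walks the buffer page by page; the error path should probably free the same way, which is worth confirming.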
+@@ -651,6 +676,10 @@ static void msc_buffer_contig_free(struc
+ {
+ unsigned long off;
+
++ dma_unmap_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl,
++ 1, DMA_FROM_DEVICE);
++ sg_free_table(&msc->single_sgt);
++
+ for (off = 0; off < msc->nr_pages << PAGE_SHIFT; off += PAGE_SIZE) {
+ struct page *page = virt_to_page(msc->base + off);
+
--- /dev/null
+From 43a0541e312f7136e081e6bf58f6c8a2e9672688 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Thu, 7 Mar 2019 01:50:07 +0300
+Subject: iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 43a0541e312f7136e081e6bf58f6c8a2e9672688 upstream.
+
+Both Tegra30 and Tegra114 have 4 ASID's and the corresponding bitfield of
+the TLB_FLUSH register differs from later Tegra generations that have 128
+ASID's.
+
+In a result the PTE's are now flushed correctly from TLB and this fixes
+problems with graphics (randomly failing tests) on Tegra30.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/tegra-smmu.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/drivers/iommu/tegra-smmu.c
++++ b/drivers/iommu/tegra-smmu.c
+@@ -94,7 +94,6 @@ static inline u32 smmu_readl(struct tegr
+ #define SMMU_TLB_FLUSH_VA_MATCH_ALL (0 << 0)
+ #define SMMU_TLB_FLUSH_VA_MATCH_SECTION (2 << 0)
+ #define SMMU_TLB_FLUSH_VA_MATCH_GROUP (3 << 0)
+-#define SMMU_TLB_FLUSH_ASID(x) (((x) & 0x7f) << 24)
+ #define SMMU_TLB_FLUSH_VA_SECTION(addr) ((((addr) & 0xffc00000) >> 12) | \
+ SMMU_TLB_FLUSH_VA_MATCH_SECTION)
+ #define SMMU_TLB_FLUSH_VA_GROUP(addr) ((((addr) & 0xffffc000) >> 12) | \
+@@ -197,8 +196,12 @@ static inline void smmu_flush_tlb_asid(s
+ {
+ u32 value;
+
+- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
+- SMMU_TLB_FLUSH_VA_MATCH_ALL;
++ if (smmu->soc->num_asids == 4)
++ value = (asid & 0x3) << 29;
++ else
++ value = (asid & 0x7f) << 24;
++
++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_MATCH_ALL;
+ smmu_writel(smmu, value, SMMU_TLB_FLUSH);
+ }
+
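Review bot: The same four-line ASID encoding, with the bare constants `0x3`, `29`, `0x7f` and `24`, is written out in smmu_flush_tlb_asid here and again in smmu_flush_tlb_section and smmu_flush_tlb_group in the next two hunks. A future register layout would have to be added in three places, and a missed copy would leave stale TLB entries for that flush type. Testing `num_asids == 4` also ties the layout to a count rather than to an explicit per-SoC property. A small helper that returns the ASID field keeps the layouts in one place, and each call site then ORs it with its match bits. The parameter types in the sketch are assumed from the truncated hunk headers.

```c
/* ASID field of SMMU_TLB_FLUSH: 2 bits at 29 on 4-ASID parts, 7 bits at 24 otherwise */
static inline u32 smmu_tlb_flush_asid(struct tegra_smmu *smmu,
				      unsigned long asid)
{
	if (smmu->soc->num_asids == 4)
		return (asid & 0x3) << 29;

	return (asid & 0x7f) << 24;
}

/* ... unchanged: smmu_flush_tlb_asid() signature and locals ... */
	value = smmu_tlb_flush_asid(smmu, asid) | SMMU_TLB_FLUSH_ASID_MATCH |
		SMMU_TLB_FLUSH_VA_MATCH_ALL;
	smmu_writel(smmu, value, SMMU_TLB_FLUSH);
```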
+@@ -208,8 +211,12 @@ static inline void smmu_flush_tlb_sectio
+ {
+ u32 value;
+
+- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
+- SMMU_TLB_FLUSH_VA_SECTION(iova);
++ if (smmu->soc->num_asids == 4)
++ value = (asid & 0x3) << 29;
++ else
++ value = (asid & 0x7f) << 24;
++
++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_SECTION(iova);
+ smmu_writel(smmu, value, SMMU_TLB_FLUSH);
+ }
+
+@@ -219,8 +226,12 @@ static inline void smmu_flush_tlb_group(
+ {
+ u32 value;
+
+- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
+- SMMU_TLB_FLUSH_VA_GROUP(iova);
++ if (smmu->soc->num_asids == 4)
++ value = (asid & 0x3) << 29;
++ else
++ value = (asid & 0x7f) << 24;
++
++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_GROUP(iova);
+ smmu_writel(smmu, value, SMMU_TLB_FLUSH);
+ }
+
--- /dev/null
+From ee37e62191a59d253fc916b9fc763deb777211e2 Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 2 Apr 2019 14:22:14 +0800
+Subject: md: add mddev->pers to avoid potential NULL pointer dereference
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+commit ee37e62191a59d253fc916b9fc763deb777211e2 upstream.
+
+When doing re-add, we need to ensure rdev->mddev->pers is not NULL,
+which can avoid potential NULL pointer derefence in fallowing
+add_bound_rdev().
+
+Fixes: a6da4ef85cef ("md: re-add a failed disk")
+Cc: Xiao Ni <xni@redhat.com>
+Cc: NeilBrown <neilb@suse.com>
+Cc: <stable@vger.kernel.org> # 4.4+
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2845,8 +2845,10 @@ state_store(struct md_rdev *rdev, const
+ err = 0;
+ }
+ } else if (cmd_match(buf, "re-add")) {
+- if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
+- rdev->saved_raid_disk >= 0) {
++ if (!rdev->mddev->pers)
++ err = -EINVAL;
++ else if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
++ rdev->saved_raid_disk >= 0) {
+ /* clear_bit is performed _after_ all the devices
+ * have their local Faulty bit cleared. If any writes
+ * happen in the meantime in the local node, they
--- /dev/null
+From 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Sun, 24 Mar 2019 20:21:12 -0400
+Subject: media: ov6650: Fix sensor possibly not detected on probe
+
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+
+commit 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 upstream.
+
+After removal of clock_start() from before soc_camera_init_i2c() in
+soc_camera_probe() by commit 9aea470b399d ("[media] soc-camera: switch
+I2C subdevice drivers to use v4l2-clk") introduced in v3.11, the ov6650
+driver could no longer probe the sensor successfully because its clock
+was no longer turned on in advance. The issue was initially worked
+around by adding that missing clock_start() equivalent to OMAP1 camera
+interface driver - the only user of this sensor - but a propoer fix
+should be rather implemented in the sensor driver code itself.
+
+Fix the issue by inserting a delay between the clock is turned on and
+the sensor I2C registers are read for the first time.
+
+Tested on Amstrad Delta with now out of tree but still locally
+maintained omap1_camera host driver.
+
+Fixes: 9aea470b399d ("[media] soc-camera: switch I2C subdevice drivers to use v4l2-clk")
+
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/ov6650.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ov6650.c
++++ b/drivers/media/i2c/ov6650.c
+@@ -826,6 +826,8 @@ static int ov6650_video_probe(struct i2c
+ if (ret < 0)
+ return ret;
+
++ msleep(20);
++
+ /*
+ * check and show product ID and manufacturer ID
+ */
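Review bot: The new `msleep(20);` has no comment, and nothing in the hunk says where the 20 ms figure comes from. Per the commit description the wait sits between turning the clock on and the first I2C register read, so say that in the code, e.g. `/* let the sensor settle after its clock is enabled before the first register read */`. If the value comes from the datasheet, a named constant would record that. ov6650_video_probe starts and ends outside the hunk.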
--- /dev/null
+From f02f3755dbd14fb935d24b14650fff9ba92243b8 Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Mon, 6 May 2019 11:57:03 +0800
+Subject: NFS4: Fix v4.0 client state corruption when mount
+
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+
+commit f02f3755dbd14fb935d24b14650fff9ba92243b8 upstream.
+
+stat command with soft mount never return after server is stopped.
+
+When alloc a new client, the state of the client will be set to
+NFS4CLNT_LEASE_EXPIRED.
+
+When the server is stopped, the state manager will work, and accord
+the state to recover. But the state is NFS4CLNT_LEASE_EXPIRED, it
+will drain the slot table and lead other task to wait queue, until
+the client recovered. Then the stat command is hung.
+
+When discover server trunking, the client will renew the lease,
+but check the client state, it lead the client state corruption.
+
+So, we need to call state manager to recover it when detect server
+ip trunking.
+
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4state.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -143,6 +143,10 @@ int nfs40_discover_server_trunking(struc
+ /* Sustain the lease, even if it's empty. If the clientid4
+ * goes stale it's of no use for trunking discovery. */
+ nfs4_schedule_state_renewal(*result);
++
++ /* If the client state need to recover, do it. */
++ if (clp->cl_state)
++ nfs4_schedule_state_manager(clp);
+ }
+ out:
+ return status;
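Review bot: `if (clp->cl_state)` treats any set bit as a reason to schedule the state manager, and the comment above it does not say which states are expected. The commit description names NFS4CLNT_LEASE_EXPIRED on a newly allocated client as the case being fixed. If cl_state also carries bits that do not mean recovery is pending (not visible in this hunk), the test is broader than intended, though scheduling the manager is presumably harmless then. A clearer comment would be `/* A new client starts with NFS4CLNT_LEASE_EXPIRED set; run the state manager now so recovery does not stall later requests. */`. The enclosing function starts outside the hunk.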
--- /dev/null
+From 440868661f36071886ed360d91de83bd67c73b4f Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Tue, 30 Apr 2019 21:56:24 +0700
+Subject: of: fix clang -Wunsequenced for be32_to_cpu()
+
+From: Phong Tran <tranmanphong@gmail.com>
+
+commit 440868661f36071886ed360d91de83bd67c73b4f upstream.
+
+Now, make the loop explicit to avoid clang warning.
+
+./include/linux/of.h:238:37: warning: multiple unsequenced modifications
+to 'cell' [-Wunsequenced]
+ r = (r << 32) | be32_to_cpu(*(cell++));
+ ^~
+./include/linux/byteorder/generic.h:95:21: note: expanded from macro
+'be32_to_cpu'
+ ^
+./include/uapi/linux/byteorder/little_endian.h:40:59: note: expanded
+from macro '__be32_to_cpu'
+ ^
+./include/uapi/linux/swab.h:118:21: note: expanded from macro '__swab32'
+ ___constant_swab32(x) : \
+ ^
+./include/uapi/linux/swab.h:18:12: note: expanded from macro
+'___constant_swab32'
+ (((__u32)(x) & (__u32)0x000000ffUL) << 24) | \
+ ^
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reported-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/460
+Suggested-by: David Laight <David.Laight@ACULAB.COM>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: stable@vger.kernel.org
+[robh: fix up whitespace]
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/of.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -229,8 +229,8 @@ extern struct device_node *of_find_all_n
+ static inline u64 of_read_number(const __be32 *cell, int size)
+ {
+ u64 r = 0;
+- while (size--)
+- r = (r << 32) | be32_to_cpu(*(cell++));
++ for (; size--; cell++)
++ r = (r << 32) | be32_to_cpu(*cell);
+ return r;
+ }
+
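Review bot: The rewritten loop `for (; size--; cell++)` keeps the old termination test, so a zero `size` ends at once but a negative `size` never tests false until it wraps, reading far past `cell`; `size` is a signed `int` here. `for (; size > 0; size--, cell++)` removes the clang warning the same way and stops for non-positive counts. A `size` above 2 also shifts the earlier cells out of the u64 silently, so a short comment stating the accepted range would document that for callers.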
--- /dev/null
+From 8149069db81853570a665f5e5648c0e526dc0e43 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 17 Apr 2019 17:41:23 +0800
+Subject: p54: drop device reference count if fails to enable device
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 8149069db81853570a665f5e5648c0e526dc0e43 upstream.
+
+The function p54p_probe takes an extra reference count of the PCI
+device. However, the extra reference count is not dropped when it fails
+to enable the PCI device. This patch fixes the bug.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intersil/p54/p54pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intersil/p54/p54pci.c
++++ b/drivers/net/wireless/intersil/p54/p54pci.c
+@@ -554,7 +554,7 @@ static int p54p_probe(struct pci_dev *pd
+ err = pci_enable_device(pdev);
+ if (err) {
+ dev_err(&pdev->dev, "Cannot enable new PCI device\n");
+- return err;
++ goto err_put;
+ }
+
+ mem_addr = pci_resource_start(pdev, 0);
+@@ -639,6 +639,7 @@ static int p54p_probe(struct pci_dev *pd
+ pci_release_regions(pdev);
+ err_disable_dev:
+ pci_disable_device(pdev);
++err_put:
+ pci_dev_put(pdev);
+ return err;
+ }
--- /dev/null
+From 3e1120f4b57bc12437048494ab56648edaa5b57d Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 6 Apr 2019 16:45:14 +0200
+Subject: parisc: Export running_on_qemu symbol for modules
+
+From: Helge Deller <deller@gmx.de>
+
+commit 3e1120f4b57bc12437048494ab56648edaa5b57d upstream.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+CC: stable@vger.kernel.org # v4.9+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/process.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/parisc/kernel/process.c
++++ b/arch/parisc/kernel/process.c
+@@ -192,6 +192,7 @@ int dump_task_fpu (struct task_struct *t
+ */
+
+ int running_on_qemu __read_mostly;
++EXPORT_SYMBOL(running_on_qemu);
+
+ void __cpuidle arch_cpu_idle_dead(void)
+ {
--- /dev/null
+From 1829dda0e87f4462782ca81be474c7890efe31ce Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 5 May 2019 23:54:34 +0200
+Subject: parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code
+
+From: Helge Deller <deller@gmx.de>
+
+commit 1829dda0e87f4462782ca81be474c7890efe31ce upstream.
+
+LEVEL is a very common word, and now after many years it suddenly
+clashed with another LEVEL define in the DRBD code.
+Rename it to PA_ASM_LEVEL instead.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/assembly.h | 6 +++---
+ arch/parisc/kernel/head.S | 4 ++--
+ arch/parisc/kernel/syscall.S | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/parisc/include/asm/assembly.h
++++ b/arch/parisc/include/asm/assembly.h
+@@ -59,14 +59,14 @@
+ #define LDCW ldcw,co
+ #define BL b,l
+ # ifdef CONFIG_64BIT
+-# define LEVEL 2.0w
++# define PA_ASM_LEVEL 2.0w
+ # else
+-# define LEVEL 2.0
++# define PA_ASM_LEVEL 2.0
+ # endif
+ #else
+ #define LDCW ldcw
+ #define BL bl
+-#define LEVEL 1.1
++#define PA_ASM_LEVEL 1.1
+ #endif
+
+ #ifdef __ASSEMBLY__
+--- a/arch/parisc/kernel/head.S
++++ b/arch/parisc/kernel/head.S
+@@ -22,7 +22,7 @@
+ #include <linux/linkage.h>
+ #include <linux/init.h>
+
+- .level LEVEL
++ .level PA_ASM_LEVEL
+
+ __INITDATA
+ ENTRY(boot_args)
+@@ -254,7 +254,7 @@ stext_pdc_ret:
+ ldo R%PA(fault_vector_11)(%r10),%r10
+
+ $is_pa20:
+- .level LEVEL /* restore 1.1 || 2.0w */
++ .level PA_ASM_LEVEL /* restore 1.1 || 2.0w */
+ #endif /*!CONFIG_64BIT*/
+ load32 PA(fault_vector_20),%r10
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -48,7 +48,7 @@ registers).
+ */
+ #define KILL_INSN break 0,0
+
+- .level LEVEL
++ .level PA_ASM_LEVEL
+
+ .text
+
--- /dev/null
+From b438749044356dd1329c45e9b5a9377b6ea13eb2 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 2 Apr 2019 12:17:08 +0200
+Subject: parisc: Skip registering LED when running in QEMU
+
+From: Helge Deller <deller@gmx.de>
+
+commit b438749044356dd1329c45e9b5a9377b6ea13eb2 upstream.
+
+No need to spend CPU cycles when we run on QEMU.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+CC: stable@vger.kernel.org # v4.9+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/parisc/led.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/parisc/led.c
++++ b/drivers/parisc/led.c
+@@ -568,6 +568,9 @@ int __init register_led_driver(int model
+ break;
+
+ case DISPLAY_MODEL_LASI:
++ /* Skip to register LED in QEMU */
++ if (running_on_qemu)
++ return 1;
+ LED_DATA_REG = data_reg;
+ led_func_ptr = led_LASI_driver;
+ printk(KERN_INFO "LED display at %lx registered\n", LED_DATA_REG);
--- /dev/null
+From bdca5d64ee92abeacd6dada0bc6f6f8e6350dd67 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 5 May 2019 23:55:02 +0200
+Subject: parisc: Use PA_ASM_LEVEL in boot code
+
+From: Helge Deller <deller@gmx.de>
+
+commit bdca5d64ee92abeacd6dada0bc6f6f8e6350dd67 upstream.
+
+The LEVEL define clashed with the DRBD code.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/boot/compressed/head.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/boot/compressed/head.S
++++ b/arch/parisc/boot/compressed/head.S
+@@ -22,7 +22,7 @@
+ __HEAD
+
+ ENTRY(startup)
+- .level LEVEL
++ .level PA_ASM_LEVEL
+
+ #define PSW_W_SM 0x200
+ #define PSW_W_BIT 36
+@@ -63,7 +63,7 @@ $bss_loop:
+ load32 BOOTADDR(decompress_kernel),%r3
+
+ #ifdef CONFIG_64BIT
+- .level LEVEL
++ .level PA_ASM_LEVEL
+ ssm PSW_W_SM, %r0 /* set W-bit */
+ depdi 0, 31, 32, %r3
+ #endif
+@@ -72,7 +72,7 @@ $bss_loop:
+
+ startup_continue:
+ #ifdef CONFIG_64BIT
+- .level LEVEL
++ .level PA_ASM_LEVEL
+ rsm PSW_W_SM, %r0 /* clear W-bit */
+ #endif
+
--- /dev/null
+From b1029c9bc078a6f1515f55dd993b507dcc7e3440 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Tue, 7 May 2019 13:41:49 -0400
+Subject: PNFS fallback to MDS if no deviceid found
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+commit b1029c9bc078a6f1515f55dd993b507dcc7e3440 upstream.
+
+If we fail to find a good deviceid while trying to pnfs, instead of
+propagating an error back, fall back to doing IO to the MDS. Currently,
+the code will fail the IO with EINVAL.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Fixes: 8d40b0f14846f ("NFS filelayout:call GETDEVICEINFO after pnfs_layout_process completes"
+Cc: stable@vger.kernel.org # v4.11+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/filelayout/filelayout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -904,7 +904,7 @@ fl_pnfs_update_layout(struct inode *ino,
+ status = filelayout_check_deviceid(lo, fl, gfp_flags);
+ if (status) {
+ pnfs_put_lseg(lseg);
+- lseg = ERR_PTR(status);
++ lseg = NULL;
+ }
+ out:
+ return lseg;
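Review bot: Assigning `lseg = NULL` after filelayout_check_deviceid() fails discards `status` silently, so a deviceid failure can no longer be told apart from any other reason for not using pNFS. A comment at the assignment would make the intent explicit, for example `/* no usable deviceid: return NULL so I/O falls back to the MDS */`. Logging `status` at debug level before it is dropped would help when diagnosing repeated fallbacks. fl_pnfs_update_layout() begins outside this hunk, so it should be confirmed there that every caller treats a NULL segment as "go through the MDS" rather than dereferencing it.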
--- /dev/null
+From aac42d7f0901c42c5b44d03cd76cc82013ec1f26 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 23 May 2019 10:47:04 +0200
+Subject: Revert "cifs: fix memory leak in SMB2_read"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit c54a881d793e3eea2a1b1460c5778b22128821ea which is
+commit 05fd5c2c61732152a6bddc318aae62d7e436629b upstream.
+
+Lars writes:
+ This patch should not be in 4.14-stable because
+ 088aaf17aa79300cab14dbee2569c58cfafd7d6e was for 4.18+.
+
+ Now we have a double-free crash in SMB2_read because there are 2
+ calls to cifs_small_buf_release in the error path.
+
+It was a mistake to backport it this far, so let's revert it.
+
+Reported-by: Lars Persson <lists@bofh.nu>
+Cc: Ronnie Sahlberg <lsahlber@redhat.com>
+Cc: Pavel Shilovsky <pshilov@microsoft.com>
+Cc: Steve French <stfrench@microsoft.com>
+Cc: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2699,7 +2699,6 @@ SMB2_read(const unsigned int xid, struct
+ cifs_dbg(VFS, "Send error in read = %d\n", rc);
+ }
+ free_rsp_buf(resp_buftype, rsp_iov.iov_base);
+- cifs_small_buf_release(req);
+ return rc == -ENODATA ? 0 : rc;
+ }
+
tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
net-always-descend-into-dsa.patch
+parisc-export-running_on_qemu-symbol-for-modules.patch
+parisc-skip-registering-led-when-running-in-qemu.patch
+parisc-use-pa_asm_level-in-boot-code.patch
+parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch
+stm-class-fix-channel-free-in-stm-output-free-path.patch
+stm-class-fix-channel-bitmap-on-32-bit-systems.patch
+md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch
+intel_th-msu-fix-single-mode-with-iommu.patch
+p54-drop-device-reference-count-if-fails-to-enable-device.patch
+of-fix-clang-wunsequenced-for-be32_to_cpu.patch
+cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch
+media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch
+revert-cifs-fix-memory-leak-in-smb2_read.patch
+nfs4-fix-v4.0-client-state-corruption-when-mount.patch
+pnfs-fallback-to-mds-if-no-deviceid-found.patch
+clk-hi3660-mark-clk_gate_ufs_subsys-as-critical.patch
+clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch
+clk-rockchip-fix-wrong-clock-definitions-for-rk3328.patch
+fuse-fix-writepages-on-32bit.patch
+fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch
+iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch
+ceph-flush-dirty-inodes-before-proceeding-with-remount.patch
--- /dev/null
+From 51e0f227812ed81a368de54157ebe14396b4be03 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 17 Apr 2019 10:35:35 +0300
+Subject: stm class: Fix channel bitmap on 32-bit systems
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 51e0f227812ed81a368de54157ebe14396b4be03 upstream.
+
+Commit 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace
+Module devices") naively calculates the channel bitmap size in 64-bit
+chunks regardless of the size of underlying unsigned long, making the
+bitmap half as big on a 32-bit system. This leads to an out of bounds
+access with the upper half of the bitmap.
+
+Fix this by using BITS_TO_LONGS. While at it, convert to using
+struct_size() for the total size calculation of the master struct.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+Reported-by: Mulu He <muluhe@codeaurora.org>
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -174,11 +174,10 @@ stm_master(struct stm_device *stm, unsig
+ static int stp_master_alloc(struct stm_device *stm, unsigned int idx)
+ {
+ struct stp_master *master;
+- size_t size;
+
+- size = ALIGN(stm->data->sw_nchannels, 8) / 8;
+- size += sizeof(struct stp_master);
+- master = kzalloc(size, GFP_ATOMIC);
++ master = kzalloc(struct_size(master, chan_map,
++ BITS_TO_LONGS(stm->data->sw_nchannels)),
++ GFP_ATOMIC);
+ if (!master)
+ return -ENOMEM;
+
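Review bot: The new kzalloc() size in stp_master_alloc() depends on `struct_size()` being available and on `chan_map` being a trailing array of `unsigned long`, and neither is visible in this hunk. For a backport tagged v4.4+ it is worth confirming that each target tree provides the helper. The reason for sizing in longs also deserves a comment above the allocation, for example `/* chan_map is accessed through the bitmap helpers, which operate on whole unsigned longs */`. That would discourage a later change back to byte-granular sizing, which the commit message identifies as the cause of the out-of-bounds access. The function body continues past the end of the hunk.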
--- /dev/null
+From ee496da4c3915de3232b5f5cd20e21ae3e46fe8d Mon Sep 17 00:00:00 2001
+From: Tingwei Zhang <tingwei@codeaurora.org>
+Date: Wed, 17 Apr 2019 10:35:34 +0300
+Subject: stm class: Fix channel free in stm output free path
+
+From: Tingwei Zhang <tingwei@codeaurora.org>
+
+commit ee496da4c3915de3232b5f5cd20e21ae3e46fe8d upstream.
+
+Number of free masters is not set correctly in stm
+free path. Fix this by properly adding the number
+of output channels before setting them to 0 in
+stm_output_disclaim().
+
+Currently it is equivalent to doing nothing since
+master->nr_free is incremented by 0.
+
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+Signed-off-by: Tingwei Zhang <tingwei@codeaurora.org>
+Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Cc: stable@vger.kernel.org # v4.4
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -226,8 +226,8 @@ stm_output_disclaim(struct stm_device *s
+ bitmap_release_region(&master->chan_map[0], output->channel,
+ ilog2(output->nr_chans));
+
+- output->nr_chans = 0;
+ master->nr_free += output->nr_chans;
++ output->nr_chans = 0;
+ }
+
+ /*
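Review bot: The last two assignments in stm_output_disclaim() are order-dependent, but nothing in the code says so, which is how the original no-op accounting went unnoticed. A one-line comment above `master->nr_free += output->nr_chans;`, such as `/* credit the channels back before clearing the count */`, would protect the ordering. Separately, the bitmap_release_region() call just above passes `ilog2(output->nr_chans)`, and ilog2() of zero is not a meaningful order. If this function can be reached with `nr_chans` already 0, the guard for that has to live in the caller, which is outside the hunk along with the start of the function.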